# Engram — Outstanding Issues

**Last updated:** 2026-04-03
**Status:** All critical, high, and most medium issues RESOLVED.

---

## RESOLVED

### Security (all fixed)
- Credentials rotated (Matrix secret, API tokens generated)
- Tailscale env file removed (not needed)
- Ripgrep flag injection fixed (-- separator)
- Subprocess timeouts added (30s server, 10s guardrail)
- WebSocket gateway bound to 127.0.0.1
- Timing-safe token comparison everywhere (hmac.compare_digest)
- Worker API default bind to 127.0.0.1
- SQLite busy timeout for concurrent access
- FTS5 probe uses in-memory DB

### Code Quality (all fixed)
- atomic_dump handles Markdown and JSON
- Consolidator batch processing (not all 49K in memory)
- O(n) hash-based grouping replaces O(n2) merge
- Archive and quarantine name collision prevention
- Logging path bug fixed

### Tests (67/67 passing)
- Server, guardrail, consolidator, librarian, index all passing

### Data
- Universal session ingester built
- 222 Goose + 51 Hermes sessions ingested
- Frontmatter repair script ready

---

## REMAINING (non-blocking)

1. Run frontmatter repair on 48K legacy files
2. Obsidian wikilinks and knowledge graph (documented in docs/OBSIDIAN_COMPATIBILITY.md)
3. VPN interview test (pre-existing, not our change)
4. Recursive retrieval (future feature)
5. File watcher daemon for auto-ingestion
6. CWD-relative checkpoint paths (low risk)